RSA's SecurID Breach Started with Phishing Email

RSA's Art Coviello told analysts that the SecurID
attackers used a phishing email with a malicious Excel spreadsheet to penetrate the company's network.

The sophisticated attack that breached RSA's
defenses and allowed attackers to steal SecurID data appears to have begun as a
phishing attack, according to several security analysts briefed by the company.
RSA has faced some criticism from about its
internal security practices.
During a private call with security analysts, the executive chairman of RSA
Security, Art Coviello, revealed some details of how the March
17 security breach happened. During the April 1 call, Coviello also discussed
how RSA stopped the incident.

An RSA spokesperson confirmed there had
been a call with Coviello and some analysts, but declined to comment on the
content of the call.

The attack started with phishing emails sent to small groups of low-profile RSA
users that ended up in the users' email junk folders, according to Avivah
Litan, an analyst with Gartner, who was on the call. Litan believes these
low-level users are actually RSA employees.
The emails were titled "2011 Recruitment Plan" and had a malicious
Microsoft Excel spreadsheet attached, Litan
reported on her blog.
Ironically, the spreadsheet exploited the recently discovered Adobe
Flash zero-day flaw. Adobe had announced the vulnerability on March 14 and patched
it March 21. However, it appears the patch came a little too late for RSA.

Despite landing in the users' junk folders, at least one person opened the
email and the attachment, which downloaded the Trojan to the user's PC.
Attackers began harvesting credentials and "made their way up the RSA
food chain" using accounts belonging to the IT department, as well as
other employees, to gain "privileged access" to the targeted system,
Litan wrote.
"At least RSA's spam filters were
working, even if their social engineering training for employees was not,"
Litan added.
From the targeted system, attackers transferred files to an external
compromised machine at a hosting provider, at which point RSA
detected the attack thanks to its NetWitness implementation, Litan wrote.
Industry observers had speculated that RSA
must have had a network monitoring and forensics product deployed, and it
appears they were right. RSA was able to
stop the attack before more damage could be done and immediately told customers
about the attack.
The company remained vague as to when the phishing emails were sent, or how
long the attackers spent in the network bouncing between accounts, but several
months seem likely, according to Jon Oltsik, a principal analyst with the
Enterprise Strategy Group, who was also on the call. "I think that the
intelligence gathering and setup lasted awhile," he told eWEEK.
RSA was a lesson for everyone that
technology isn't enough to "detect or block attacks," said Oltsik.
"We need to train our people," he said.
While RSA "should be credited for
handling a bad situation as well as it can," Litan felt that "RSA
should have known better."
"The irony is that they don't eat their own dog food," Litan told
eWEEK. The company sells fraud detection systems based on sophisticated
profiling that use complex models to spot abnormal behavior and intervene in
real time to authenticate and reauthenticate users and transactions.
However, RSA did not apply those same
techniques to their own systems, Litan said.
RSA gave "a lot of credit" to
NetWitness for detecting the attack in real time, but it wasn't good enough, as
the "signals and scores" were clearly not high enough to prompt a
person to shut down the attack immediately, Litan said.
RSA needs to stay innovative and apply
the lessons learned from serving its clients to its own internal enterprise
systems, Litan said. This may be a function of being owned by EMC,
a "behemoth company," said Litan. She noted that many of the "best
and brightest" at RSA left after the
2006 acquisition.
"Much of the innovation has since been slowed down by the inevitable
bureaucracy," said Litan.